Italian universities started to sell students' privacy to big corps through email accounts

Sat Aug 22 12:41:25 UTC 2015

On Saturday 22. August 2015 10.34.24 Valentino Santori wrote:
> Hi fellows,
> 
> I would like to report a very bad situation for student's privacy in
> the public education system, here in Italy. Many universities, and as
> far as I know even high schools, are migrating from self-hosted mail
> servers to propietary, big-corp's owned email accounts. This without
> any chance to refuse the creation of this account, because this is
> created during the subscription to the faculty, and without any
> privacy agreement.

I think such practices are becoming widespread, and it would be interesting to 
do a survey to see which institutions are doing so.

In higher education, there is a shift towards cloud providers for basic 
services like e-mail and collaboration, and here in Norway various 
institutions have apparently already moved to Microsoft Office 365 in some 
form [1, 2]. Indeed, it would seem that there is a sector-wide plan to adopt 
Microsoft cloud-hosted products which will probably be formalised by the 
coordinating organisation, UNINETT, whose Web site is poorly organised and 
thus not as transparent as one might like (and whose conferences are sponsored 
by some of the companies whose products they intend to roll out [3]).

Expect Skype-specific infrastructure and principally Office 365, although they 
claim that they are also looking at other cloud product providers and 
assessing the legality. I have also seen documents [4] describing the actual 
strategy as opposed to the publicly-announced strategy.

> I can report my personal experience and others I know:
> Università Politecnica delle Marche (located in Ancona) used to adopt
> a self-hosted Squirrelmail soultion, now It's migrating to Microsoft
> Hotmail;
> Università degli studi di Ferrara is using Gmail;
> Università degli studi di Parma is using Gmail;
> Università degli studi di Bologna is using Microsoft Hotmail.

Hotmail users will undoubtedly be encouraged to move to Office 365. Meanwhile, 
the nature of adoption of these cloud services may well involve reassurances 
that the data won't really be held in the US or outside the country but that 
some kind of "licensed cloud" will be used instead. Presumably, such a 
licensed cloud would just be the use of proprietary software on taxpayer-
funded infrastructure, maybe in an even more restrictive way than traditional 
proprietary software because these services are not necessarily software 
products that are obtained and installed normally. (Remember the Google search 
appliance and how it was a box you installed in your network?)

In reality I think that institutions will end up using Microsoft's own hosting 
via what was known as their Live at edu service, which is now part of their 
Office 365 offering [5]. I know from personal experience that university 
decision-makers regard Microsoft as a friendly partner who would never hurt 
their customers, and they appear to regard all the reports of surveillance 
without any concern at all.

> In Italy laws are very strict in terms on privacy and I think that
> since we are talking about a public service this issue It's even more
> serious.
> What's your opinion about? Can we move somehow?

Well, there are laws in Norway about this, too. Hence the remark that the 
legal situation is supposedly being reviewed. But in practice, various 
institutions are using the Microsoft cloud products already with only some 
holding back in order to legitimise the inevitable decision to use them as 
well [6]. (I note this because this is how the decision-makers work: they use 
a review of the suitability or legality as a cover for doing what they want 
anyway, and then they announce that everything was actually fine in the end 
and that their intended plan has already been carried out. You end up 
discussing a decision that was taken long ago and probably mostly implemented 
already.)

There is also a distinction in Norway between students and employees of 
institutions. Employees, at least in the public sector, are protected by laws 
that forbid data from being sent off over the Internet to some random place 
where it isn't safeguarded. (I guess it's the data that is actually protected, 
but then the employees cannot be pushed out into the cloud for their work-
related services because they'd be processing the data in some inappropriate 
place.) Meanwhile, students appear to be commodities that can be farmed out in 
the way that is cheapest for the institution.

Sorry for the long response! Can we do anything about it? If laws and 
regulations about privacy and competition were upheld, maybe we could, but I 
haven't seen much evidence of that going on in recent times.

Paul

[1] Just searching for "Office 365" on this page listing single sign-on 
integration indicates how much it has been used: 
https://www.feide.no/tilgjengelige-tjenester

[2] 70% of students and employees in the sector have Office 365 access 
according to this: http://www.usit.uio.no/prosjekter/o365/

[3] Conference sponsors: https://www.uninett.no/uninett-
konferansen-2015/sponsorer

[4] http://slashdot.org/submission/2683909/end-of-the-line-for-linux-in-
norways-educational-system

[5] https://en.wikipedia.org/wiki/Live%40edu

[6] A document indicating how University of Oslo decision-makers really want 
to take advantage of Microsoft bundling deals to use Office 365 while at the 
same time making the necessary noises about privacy and legal requirements: 
http://www.usit.uio.no/prosjekter/o365/mandat/office365-saksnotat-i-
rektoratet-190315.pdf